Krebs on Security

In-depth security news and investigation

U.K. Man Avoids Jail Time in vDOS Case

A U.K. man who pleaded guilty to launching more than 2,000 cyberattacks against some of the world’s largest companies has avoided jail time for his role in the attacks. The judge in the case reportedly was moved by pleas for leniency that cited the man’s youth at the time of the attacks and a diagnosis of autism.

In early July 2017, the West Midlands Police in the U.K. arrested 19-year-old Stockport resident Jack Chappell and charged him with using a now-defunct attack-for-hire service called vDOS to launch attacks against the Web sites of Amazon, BBC, BT, Netflix, T-Mobile, Virgin Media, and Vodafone, between May 1, 2015 and April 30, 2016.

One of several taunting tweets Chappell sent to his DDoS victims.

Chappell also helped launder money for vDOS, which until its demise in September 2016 was by far the most popular and powerful attack-for-hire service — allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most Web sites offline.

Using the Twitter handle @fractal_warrior, Chappell would taunt his victims while launching attacks against them. The tweet below was among several sent to the Jisc Janet educational support network and Manchester College, where Chappell was a student. In total, Chappell attacked his school at least 21 times, prosecutors showed.

Another taunting Chappell tweet.

Chappell was arrested in April 2016 after investigators traced his Internet address to his home in the U.K. For more on the clues that likely led to his arrest, check out this story.

Nevertheless, the judge in the case was moved by pleas from Chappell’s lawyer, who argued that his client was just an impressionable youth at the time who has autism, a range of conditions characterized by challenges with social skills, repetitive behaviors, speech and nonverbal communication.

The defense called on an expert who reportedly testified that Chappell was “one of the most talented people with a computer he had ever seen.”

“He is in some ways as much of a victim, he has been exploited and used,” Chappell’s attorney Stuart Kaufman told the court, according to the Manchester Evening News. “He is not malicious, he is mischievous.”

The same publication quoted Judge Maurice Greene at Chappell’s sentencing this week, saying to the young man: “You were undoubtedly taken advantage of by those more criminally sophisticated than yourself. You would be extremely vulnerable in a custodial element.”

Judge Greene decided to suspend a sentence of 16 months at a young offenders institution; Chappell will instead “undertake 20 days rehabilitation activity,” although it’s unclear exactly what that will entail.

ANALYSIS/RANT

It’s remarkable when someone so willingly and gleefully involved in a crime spree such as this can emerge from it looking like the victim. “Autistic Hacker Had Been Exploited,” declared a headline about the sentence in the U.K. newspaper The Times.

After reading the coverage of this case in the press, I half expected to see another story saying someone had pinned a medal on Chappell or offered him a job.

Jack Chappell, outside of a court hearing in the U.K. earlier this year.

Yes, Chappell will have the stain of a criminal conviction on his record, and yes autism can be a very serious and often debilitating illness. Let me be clear: I am not suggesting that offenders like this young man should be tossed in jail with violent criminals.

But courts around the world continue to send a clear message that young men essentially can do whatever they like when it comes to DDoS attacks and that there will be no serious consequences as a result.

In September 2016, vDOS was taken offline and its alleged co-creators — two Israeli men who created the business when they were 14 and 15 years old — were arrested and briefly detained by Israeli authorities. But despite assurances that the men (now adults) would be tried for their crimes, neither has been prosecuted.

In July 2017, a court in Germany issued a suspended sentence for Daniel Kaye, a 29-year-old man who allegedly launched extortionist DDoS attacks against several bank Web sites.

In his trial, Kaye admitted that a customer of his paid him $10,000 to attack the Liberian ISP Lonestar. He’s also thought to have launched DDoS attacks on Lloyds Banking Group and Barclays banks in January 2017. Kaye is now facing related cybercrime charges in the U.K.

Like Chappell, the core author of Mirai — 21-year-old Fanwood, N.J. resident Paras Jha — launched countless DDoS attacks against his school, costing Rutgers University between $3.5 million and $9 million to defend against and clean up after the assaults (the actual damages will be decided at Jha’s sentencing in March 2018).

Time will tell if Kaye or Jha and his co-defendants receive any real punishment for their crimes. But I would submit that if we don’t have the stomach to put these “talented young hackers” in jail when they’re ultimately found guilty, perhaps we should consider harnessing their skills in less draconian but still meaningfully punitive ways, such as requiring them to serve several years participating in programs designed to keep other kids from following in their footsteps.

Doing anything less smacks of a disservice to justice, glorifies DDoS as an essentially victimless crime, and serves little deterrent that might otherwise make it less likely that we will see fewer such cases going forward.

This entry was posted on Thursday, December 21st, 2017 at 8:56 am and is filed under Ne'er-Do-Well News.

73 comments

Of course, who doesn’t? And if it’s a white collar thing, can we classify this as a crime? And did he use an internet connection with his passport? Well, I think proving his guilt is another factor.
As a Western society, people still have human rights.

So here is where I am at with this.
Those intelligent enough to commit these crimes, whatever their age, know full well that what they are doing is wrong and that there could be severe consequences for being caught. They even go to extraordinary lengths to hide their true identities because they know just how harmful their actions are.
If they are subsequently caught, the full weight of the law should descend upon them. You do the crime, you do the time.
On the other hand, sentencing children to years of jail time for what is a non-violent crime, especially if it is the first time they have been caught, seems excessive and ultimately self-defeating. After being in jail what job are they going to get to feed themselves other than one that involves illegal activity?
That is what I cannot reconcile – I want both severe punishment and lenient rehabilitation, but that cannot exist in our current system.

Well, almost… Speaking in population averages, it’s well known by neuroscientists that the Frontal Lobe’s neural connections are not fully myelinated until 25 or so. The Frontal Lobe is the inhibitory/control part of the limbic system (read about Phineas Gage, who had his Frontal Lobe destroyed, as a dramatic example of its importance). So their Frontal Lobes are basically “offline.” The insurance companies are aware of the effects upon male behavior (and this is also one of the big reasons the US military wants new recruits to be under 25). The US courts have come a long way, but the law does not consider these kinds of facts very well; other than the “magical” night in every American’s life when you go to bed 17 years old and wake up the next day 18 years old… (haha!)

My “Frontal Lobe’s neural connections were not fully myelinated until 25 or so” also, but nevertheless, I realized the life ruining consequences of getting involved in criminal activity. Thus, I remained just a general hell raiser until my brain was fully developed.

Because the law, in general, is based on whether you know right from wrong…not how well you control your impulses to do wrong.

When we go down the path of forgiving behavior as “well the brain wasn’t fully myelinated…” we are going down the same path that used to let people off for crimes of passion “Oh, they just couldn’t control themselves finding their wife in bed with another man!”

From there it is just a short leap to forgiving poor misbegotten Harvey Weinstein, he was a man and we know men’s sexual impulses! Some more than others!

How we treat the criminal may vary based on the individual, but we shouldn’t be waving a hand and holding that broad swaths of society who are mature enough to know right from wrong aren’t given a free pass because they don’t have the same impulse control of others.

One form of punishment would be to restrict computer and internet usage over the next 10 years, to only those computers, smartphones, etc. that have had government monitoring software installed. The computers, etc. would have to be supplied by court approved means. The perp’s home, workplace, etc. would be subject to unannounced searches. Couple that with an ankle bracelet tracker. So no going to your friend’s house or cybercafés to circumvent the court order.

That would drive them crazy.

Maybe also have to register as a Hex Offender too. Not trying to be too funny, as it might work.

Interesting, to see someone justify unacceptable behavior. So, I can rob a bank, and get a finger slap, if I do it over the internet? But go to jail if I do it in person? Taking without authorization either way is a crime. Just as denying a business of revenue, by blocking customers’ entry,

Thousands of studies make it clear that jail time tends to criminalise rather than the opposite and is largely counter-productive for non-violent crimes. It’s also extremely expensive. (Unless you’re American and use prisoners as slave labour to produce cheap goods in an odd, anti-capitalist attempt to compete with China.)

Are you conflating society’s desire to better itself with your desire for revenge?

The U.K. has always been lenient with sentencing for criminal convictions. No surprises there. Even murderers get, at most 10 years. I think Brian’s point is well-taken – this sends a message to these “brilliant” young criminals that it’s worth taking a chance on a criminal conviction to make some cool cash, since the punishment will not fit the crime.

You’re not the first person to note that the UK has a very lenient justice system focusing on the needs of the offender. Only yesterday there was a tale of a man who shook his six month old baby to death. He got 7 years, and all sentences in the UK are automatically halved, so he will serve 3.5 years. If that’s what they give you for killing a baby you can’t expect anybody to serve serious time for a computer crime, can you?

You know most states in the US still have capital punishment, and unless something changed while I wasn’t looking it’s still part of the federal courts as well. The US has executed mentally retarded people; a man of otherwise sound mind who shook his baby to death would be strapped to an express train to the needle.

The UK very nearly has cameras on every corner, cameras on every road, multiple ways of monitoring every minute of your every day, and what does the UK do when they actually catch a criminal? Slap him on the wrist. They could forgo the surveillance state and slap criminals on the wrist just as easily. It’d be cheaper too. Just think, no more need for austerity measures.

It’s worth noting that for people under the age of 25, the “consequence-reasoning” area of the brain is underdeveloped. It’s easy to say “He should have known better.”, but that’s not necessarily the proper argument. Perhaps “He knew better, but he lacked the mental facilities to reliably connect his actions with how they affect other people” is a better statement to make – it’s supported by the body of childhood and adolescent psychology research, at least. Point is, this is the same as when you were young, did something astoundingly, obviously stupid, then right after doing it had that “Oh crap why did I do that” moment. That’s your brain literally being impaired when it comes to consequence reasoning. Every 16 year old does very stupid things, he just happened to do something stupid that he got caught for. At the very least, at least his stupidity didn’t do anything but cost some businesses time and money.

>He knew better, but he lacked the mental facilities to
>reliably connect his actions with how they affect other
>people

A not insignificant point to the law is to provide boundaries to people who have the mental faculties to know right from wrong…even if they personally can not reliably connect how their actions affect other people.

I love your work Brian, but need to respectfully pull you up on “autism can be a very serious and often debilitating illness”.

The National Autistic Society term it a developmental disability, and say “Autistic people see, hear and feel the world differently to other people. If you are autistic, you are autistic for life; autism is not an illness or disease and cannot be ‘cured’.”

“The extent of autism’s transformation became apparent in a massive survey of parents published in 2009. U.S. health authorities were surprised to find that nearly 40% of children once identified as autistic no longer had the diagnosis. The findings suggest that autism, still officially a lifelong condition, has become such a broad and fluid concept that it can be temporary.”

It is unfortunate that the judge accepted the idea that Jack Chappell’s autism was a valid reason for allowing him to escape punishment for his actions. Autism causes one to have difficulty relating to others but it in no way precludes one’s ability to understand that when you do something hurtful to another, that other will feel pain, or that hurting others is wrong. Granted these facts need to be taught; they are not innate, not even in people who aren’t autistic. However, with autistic children, sometimes the teaching is more complex and the learning curve longer.

Maybe the young guy is brilliant. But it doesn’t take brilliance to hire a vdos service, just money.

I should think that a significant sentence of community service, working for some kind of charity, would be appropriate. If possible the sentence should be long enough that this guy becomes seriously invested in the charity’s work. Ideally he should get the supervision he needs to take his community service seriously.

Computers run the world now – every aspect of our lives – from the food we eat (and the money used to buy it) to the electricity we consume and the volume of medication we need.

We should be asking why it is that parents, grand-parents, uncles, doctors, scout leaders, vicars, football coaches, and teachers from nursery (kindergarten) upwards are not all instilling the essential rights and wrongs of Information Technology into children, alongside the more traditional rights and wrongs of the world.

None of this will stop cyber crime, but judges would be free to hand out proportionate sentences if they knew that the person in front of them was in no doubt what they were doing.

Yes, the sentence is bonkers – but it reflects society’s ‘no victim’ attitude to cyber crime.

Why should white collar crime be exempt from jail time? White collar crime is REAL CRIME. I see very little difference between someone breaking into computers to steal vs breaking into your place of business or home, to accomplish the same theft.

In both cases potential violence can be mitigated, and no deadly weapons used, but the violation (and loss) are the same to the victim.

Of course the circumstances (age, mental condition, prior offenses) should be used in the calculation of the sentence. But white collar criminals should NOT get a pass. Real time for Real crime!

I mean, why is this a bad thing though? Increasing cybercrime means increasing demand for cybersecurity, which benefits those in the security industry including you and me. If it damages the wealthy, why should we care? Hacking them should be a good thing because it punishes them for their poor security and benefits the middle class. They probably drink wine more expensive than our cars and think of us as plebeians anyways, so why should we care about their fortunes?

Security jobs are hard to get, and don’t pay nearly as much as crime, and the risk is fairly low, so it’s hardly a surprise there is so much cybercrime. Greater punishments won’t discourage future criminals because of the low risk they don’t consider the possibility of getting caught. Don’t blame him, blame the system.

Your comment smacks of someone who is either engaged in cybercrime or who comes from (or longs to come from) a culture where property rights and justice for its own sake hold zero value. Or you’re just trolling, I can’t tell.

Using autism as an excuse to do crime is nonsense, or at least such a person should be placed to cure for a decade; that is what happens with normal crimes. DDoS or any other interweb crime has a toll to pay on our normal people’s everyday life. I do not want to pay more service money to my bank because they need to protect against new DDoS; who wants to?

It is generally not a good idea for serious journalists to put themselves out there as expert witnesses. When you do that, you open yourself up to being cross examined and potentially compelled to answer questions about sources, methods, etc. Also, I’m of a mind it generally is a good idea to avoid going to court unless absolutely necessary (or compelled to by jury duty, summons, etc).

However, seeing this sentence: “Also, I’m of a mind it generally is a good idea to avoid going to court unless absolutely necessary (or compelled to by jury duty, summons, etc).” troubles me. To me it implies the legal system in the U.S. is (or has become) something a law abiding citizen must fear.

One never knows what will happen in court. I once went to traffic court over several parking tickets that were clearly issued in the wrong — counting on the fact that most people won’t bother to take the time to contest them. I did, but the first court date I missed because a co-worker called in sick and no one else could cover for him (I called in the day of the court date and the clerk agreed to reschedule my court date).

The day of the second court date, I arrived in court early and sat through 3 hours of cases before they called mine, all the while watching in horror as the judge dismissed one drunk driving case after another. My case gets called, I stand up and have all kinds of pictures and evidence to back up my dispute, and the judge says to me, “Mr. Krebs, I see here that you were supposed to be in my courtroom here 2 weeks ago. What happened?” I explained my absence and the judge said, “You know I could hold you in contempt of court, fine you and hold you in jail overnight?” I stood there dumbfounded without response for what seemed like eternity, after which he ordered me to pay double the fines I would have paid if I’d just paid the tickets, plus a court fee. On top of that, I’d taken a day off work to go to court, so that was an expensive learning lesson.

That’s a small, relatively harmless example, but the advice to avoid going before a judge is as old as the bible, and with good reason (regardless of the country).

“perhaps we should consider harnessing their skills in less draconian but still meaningfully punitive ways, such as requiring them to serve several years participating in programs designed to keep other kids from following in their footsteps.

Doing anything less smacks of a disservice to justice, glorifies DDoS as an essentially victimless crime, and serves little deterrent”

The best thing B can do is hope to be a source for good people to refer to. Like, instead of relying on an expert witness, the Judges and lawyers should refer to this site, and the ideas from all contributors within all components of the site.

Like the suggestion above: put them to work. Not let them off. Nobody who has done wrong should ever be let off without paying a price. Either no ice cream, public pelting, public service, cleaning up city streets, something. Puhleeze.

A lawyer is tasked with conjuring a defence and this is more often the excuse rather than the reason for the offense. If the defendant’s excuse is the combination of immaturity and a savant syndrome (e.g. autistic savant) that is an argument for diminished capacity. The defendant’s reason is probably completely logical, at least from their point of view. They used their skills knowing they were committing a crime, knowing the consequences would be dire (to their victims) and revelling in their accomplishments. The percentage of these defendants with severe savant syndrome is in question, though it is probably higher with the more successful ones. They all lack social interest to a varying degree. I’d argue that the majority are more likely greedy, unscrupulous bad asses.

With our understanding of the brain so limited, Judges seem to be erring on the side of caution when dealing with diminished responsibility. They are questioning whether committing these individuals to a penitentiary is wise. Unfortunately the plain old bad asses are evading justice as well.

Question: if we see talented and skilled guys like him,
why don’t we give smart and talented guys high-paying jobs?
Then they don’t have to steal! Or those cyber-crooks can become cyber security experts, and they will be the best at protecting average citizens from threats! Why doesn’t the government use those guys to do good things for society? Society, any society, needs talented, clever people!!!
Why don’t we do things right?

Half of these guys already think that criminal hacking and getting arrested for it — combined with the inevitable media attention afterward — are the keys to getting a job as a security researcher. Giving them high-paying jobs would only guarantee that we see a LOT more of this, because it would reinforce the idea that there are zero negative consequences for criminal hacking.

Mr. Krebs, yes, you are right! That’s true, very true in a healthy-thinking, healthy-mindset world, but for some reason our society is completely upside down. But anyway, the question is why guys like this cannot find a better purpose for society? For example, fire is good or bad: fire can be used for good purposes, or you can burn a whole forest with fire if you don’t have control over the fire :) So talented people are like fire: if someone doesn’t direct their skill and ability for good, then they will use it for bad.

….NO jail-time??? These crimes need to have mandatory sentencing that sends the proper message to these criminals.
“Autism” is going to be the ‘new plea’ now that this case has set the precedent. Shame on the court system for allowing this.
These bad actors should be put to work in prisons doing manual labor (Scrubbing toilets/Laundry/etc) and solitary confinement. They need to learn what hard labor is and feel the consequences of their bad actions.
Once again, just like the helicopter parenting today, there’s no follow-through to show these kids there are consequences for making the wrong decisions in life. This is a complete disservice in regards to training our youth how life really works. Parents need to be parents and not your kid’s best friend. As parents you need to be clear with your kids that mommy and daddy can’t make everything better, you don’t get trophies for participation in life and they cannot get you a promotion at work. Life has RULES and is hard at times and only dedicated hard work over a long period of time will allow you to EARN it.

I dunno about “new plea”. Mental conditions have ever been an excuse proffered for all kinds of crime, from misdemeanor through felony.

When I was growing up, one town over from me there was a fellow who during an arrest, managed to shoot a cop to death.

The circumstances were somewhat freakish. The officer was wearing body armor, but the guy managed a sort of “miracle shot” where the bullet passed through a space under the arm and into the officer’s heart- almost immediately killing him.

When this one went to court, Attention Deficit Disorder was the proffered excuse. I seem to recall the judge rejected it as significant in any way to the circumstances- as well he should.

I have it myself. Yet I’ve managed to keep the inevitable urge to murder the constabulary in check… somehow. I credit treating my issues as something to be planned around and compensated for rather than something to be reviled, feared and ultimately buried instead of confronted.

I was diagnosed around that time (30-ish years back), when the rate of diagnosis was rising, as were claims/critiques of over-diagnosis, and of course debacles like this one- successful or not- weren’t helping.

But it tells you something too: if these conditions weren’t very real- with very real consequences and adverse effects on people- they wouldn’t keep cropping up as excuses in court cases like this.

Let’s be honest here though, this probably has as much (if not more) to do with society at large not taking anything involving “computer stuff” very seriously. In 30 years it’s gone from being a hobbyist’s spare time waster to being the nearest neighbor to the currency of the realm.

Those of us involved in the trade understand this seriousness. But most of society is still stuck on the idea that this is all harmless- if intriguing- puttering that ultimately affects them very little.

Maybe secret services and the police need some easily controlled hackers for dirty operations?
They can be kept under surveillance, under the terms of some sort of supervised release. If they don’t comply, it’s easy to send them back to jail for meaningful or insignificant parole violations. And if they brag about what they do, nobody will believe them and they can be silenced immediately.
So such compromised people may be too valuable to be sent to jail.
Or does this only happen in books and movies?